Zooming in on privacy and cybersecurity controls in the wfh environment

Why implementing and enforcing effective controls over third-party service providers is more important than ever.

14 April 2020

Working from home (WFH) has become the new normal, and companies have increasingly turned to new technologies to assist in continuing to provide business services remotely. This emergency transformation, however, does not eliminate the need for companies to assess the quality and security of communication platforms prior to deploying these technologies in connection with the delivery of services. Recent developments related to Zoom, a popular videoconferencing platform, illustrate the need for companies to continuously assess and monitor their service providers. Privacy advocates and regulators have called into question Zoom's privacy practices, and the company now faces private litigation as well as inquiries by government authorities.

Complaints about Zoom's Data privacy and cybersecurity practices

Zoom's explosion in use has drawn the attention of regulators and privacy advocates. Zoom provides more than just videoconferencing. It gives a call's host the ability to track attendees and permits administrators to see—in real time—when, where, and how users are using Zoom. Such tools may have legitimate business benefits, but privacy advocates have expressed concerns over the invasive nature of such tracking.

Privacy advocates have also criticized Zoom's security practices. Zoom calls, by default, are not password protected. A recent report also found that Zoom does not use end-to-end encryption to secure its meetings despite stating that it does so on its website. The issues have prompted the New York Attorney General to request information from Zoom, including "what, if any, new security measures the company has put in place to handle increased traffic on its network and detect hackers," noting that in the past, "the company had been slow to address security flaws."

Consumers of Zoom's services are also asking questions. In late March, journalists reported that Zoom had been providing analytics data to Facebook when users opened Zoom's iOS app without the users' consent and without fully disclosing this use of data in its privacy policy. Zoom has since stated that it removed this data sharing from its app, but a class action suit has been filed in California alleging that Zoom had violated, among other things, the California Consumer Privacy Act by disclosing users' personal information to third parties like Facebook, "without adequate notice or authorization." In response, Zoom has said that it is now focusing all of its engineering resources on cybersecurity and privacy issues to address the concerns that have been raised.

But now Zoom is facing backlash from its shareholders. Earlier this week, a Zoom shareholder filed another class action suit against Zoom in California alleging that the company hid weaknesses in Zoom app's encryption.

Required Diligence of Third Parties

Performing thorough diligence of vendors can help to alleviate these risks. Regulation S-P requires broker-dealers, investment companies, and investment advisers to adopt written policies and procedures reasonably designed to protect consumer records and information. The SEC Office of Compliance Inspections and Examinations (OCIE) monitors compliance by conducting cybersecurity examinations or "sweeps" of entities it supervises. For 2020, the SEC OCIE has specifically highlighted third-party and vendor risk management as an area of focus in its exam priorities.

Other laws and regulations have similar requirements. In 2017, the New York Department of Financial Services (DFS) issued its Cybersecurity Regulation that, among other things, requires covered entities to have a third-party service provider security policy that includes identification and risk assessment of third-party service providers, contractual obligations mandating minimum cybersecurity practices, due diligence processes to evaluate the adequacy of the cybersecurity practices of third-party service providers, and periodic security audits and risk assessment. The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires companies that own or license data of New York residents to have reasonable security programs, including only selecting "service providers capable of maintain appropriate safeguards" and "requir[ing] those safeguards by contract." Finally, the California Consumer Privacy Act (CCPA) requires companies that do business in California to have contractual provisions prohibiting service providers from using or disclosing personal information they receive for purposes other than those specified in the contract.

Conclusion

The issues currently facing Zoom highlight the potential costs of inadequate cybersecurity and privacy policies, both for companies that provide services directly to consumers and for businesses that fail to ensure that their vendors adhere to best practices. During this unprecedented global situation, with employees working from home and sensitive information traveling electronically through third-party systems now more than ever, it is vital that companies know how their data is being transmitted, used, and stored, both by themselves and by their vendors. Otherwise, companies that use tools such as Zoom may also find themselves embroiled in litigation and regulatory investigations.

CLIFFORD CHANCE CYBER ASSIST

Our ability to respond rapidly to assist you in the event of a cyber attack is facilitated by our Cyber Assist App which enables you to contact us at any time, day or night.

We can advise you how to access the essentials and communicate when your systems are potentially inaccessible. We can host documents, such as your cyber response plans, on our secure document sites so that you can access critical documents safely and quickly during a crisis, even if your internal infrastructure is affected. We can outline the steps which regulators around the world expect you to take in the vital hours and days which follow and guide you through implementing that process. Our global team of cyber and data specialists is immediately available to you at the push of a button.